author | Vijay Anusuri <vanusuri@mvista.com> | 2023-07-14 19:24:02 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-07-22 16:24:17 -1000 |
commit | fcb0381657175255922780a84a432bfc84fa8679 (patch) | |
tree | 4be212fb48ea4555ab8e303b598686960ebe3b2b /meta | |
parent | 1adc1600f265850cffea7314c7185a222ae5a324 (diff) | |
qemu: backport Debian patch to fix CVE-2023-0330
Import patch from Ubuntu to fix
CVE-2023-0330
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches?h=ubuntu/focal-security
Upstream commit
https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75]
(From OE-Core rev: 559327579bcee685c6dc22b7ad5595960aa896c0)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch | 77 |
2 files changed, 78 insertions, 0 deletions
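--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -137,6 +137,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2021-3409-4.patch \
 file://CVE-2021-3409-5.patch \
 file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
+file://CVE-2023-0330.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 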
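--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
@@ -0,0 +1,77 @@
+[Ubuntu note: remove fuzz-lsi53c895a-test.c changes since the file does not
+exist for this release]
+From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Mon, 22 May 2023 11:10:11 +0200
+Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
+controller (CVE-2023-0330)
+
+We cannot use the generic reentrancy guard in the LSI code, so
+we have to manually prevent endless reentrancy here. The problematic
+lsi_execute_script() function has already a way to detect whether
+too many instructions have been executed - we just have to slightly
+change the logic here that it also takes into account if the function
+has been called too often in a reentrant way.
+
+The code in fuzz-lsi53c895a-test.c has been taken from an earlier
+patch by Mauro Matteo Cascella.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563
+Message-Id: <20230522091011.1082574-1-thuth@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+
+Reference: https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.27
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2023-0330.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75]
+CVE: CVE-2023-0330
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+hw/scsi/lsi53c895a.c | 23 +++++++++++++++------
+tests/qtest/fuzz-lsi53c895a-test.c | 33 ++++++++++++++++++++++++++++++
+2 files changed, 50 insertions(+), 6 deletions(-)
+
+--- qemu-4.2.orig/hw/scsi/lsi53c895a.c
++++ qemu-4.2/hw/scsi/lsi53c895a.c
+@@ -1135,15 +1135,24 @@ static void lsi_execute_script(LSIState
+ uint32_t addr, addr_high;
+ int opcode;
+ int insn_processed = 0;
++ static int reentrancy_level;
++
++ reentrancy_level++;
+ 
+ s->istat1 |= LSI_ISTAT1_SRUN;
+ again:
+- if (++insn_processed > LSI_MAX_INSN) {
+- /* Some windows drivers make the device spin waiting for a memory
+- location to change. If we have been executed a lot of code then
+- assume this is the case and force an unexpected device disconnect.
+- This is apparently sufficient to beat the drivers into submission.
+- */
++ /*
++ * Some windows drivers make the device spin waiting for a memory location
++ * to change. If we have executed more than LSI_MAX_INSN instructions then
++ * assume this is the case and force an unexpected device disconnect. This
++ * is apparently sufficient to beat the drivers into submission.
++ *
++ * Another issue (CVE-2023-0330) can occur if the script is programmed to
++ * trigger itself again and again. Avoid this problem by stopping after
++ * being called multiple times in a reentrant way (8 is an arbitrary value
++ * which should be enough for all valid use cases).
++ */
++ if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
+ if (!(s->sien0 & LSI_SIST0_UDC)) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "lsi_scsi: inf. loop with UDC masked");
+@@ -1597,6 +1606,8 @@ again:
+ }
+ }
+ trace_lsi_execute_script_stop();
++
++ reentrancy_level--;
+ }
+ 
+ static uint8_t lsi_reg_readb(LSIState *s, int offset)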
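Review bot: The new `reentrancy_level` counter is decremented only at the function's normal end (`reentrancy_level--;` after `trace_lsi_execute_script_stop();` in the second hunk), yet the branch the first hunk rewrites — the `++insn_processed > LSI_MAX_INSN || reentrancy_level > 8` disconnect path — continues outside the hunk, and if that path leaves `lsi_execute_script()` early the counter is never balanced; because the variable is `static`, once it sticks above 8 every subsequent script start on every LSI controller in the VM takes the disconnect path, turning a bounded-recursion fix into a persistent guest storage DoS. Please confirm against the full function and, if an early `return` exists there, add `reentrancy_level--;` immediately before it. The process-wide scope of the counter (shared by all `LSIState` instances rather than per device) also deserves a comment, e.g. `/* process-wide: shared by all LSI controllers; must be decremented on every exit path */`. Separately, the embedded diffstat (`tests/qtest/fuzz-lsi53c895a-test.c | 33 ...`, `2 files changed, 50 insertions(+), 6 deletions(-)`) no longer matches the backport after the Ubuntu note dropped the regression test, so either regenerate it or state that the fuzz test is intentionally not carried. The enclosing function starts before the first hunk and the disconnect branch runs past it.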